Hello.
This time we will look at Site to Site VPN with Wizard.
In EVE-NG, connect the topology as shown below.
FW01: Port1 192.168.100.1 - used as MGMT and WAN
FW01: Port4 Trunk
VL10 172.17.70.254/24 - LAN
VL20 172.17.71.254/24 - LAN
VL30 172.17.72.254/24 - LAN
VL40 172.17.73.254/24 - LAN
FW02: Port1 192.168.100.2 - used as MGMT and WAN
FW02: Port4 10.1.1.1/24
SW01: Int vlan10: 172.17.70.1/24
Int vlan20: 172.17.71.1/24
Int vlan30: 172.17.72.1/24
Int vlan40: 172.17.73.1/24
SW02: int Gi0/0 10.1.1.1
Configure the FW01 MGMT interface.
```
FortiGate-VM64-KVM # show
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
```
Change the default values as follows.
```
FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM (interface) # edit port1
FortiGate-VM64-KVM (port1) # set mode static
FortiGate-VM64-KVM (port1) # set ip 192.168.100.1 255.255.255.0
FortiGate-VM64-KVM (port1) # show
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
end
```
Configure the default gateway.
```
FortiGate-VM64-KVM # config router static
FortiGate-VM64-KVM (static) # edit 1
new entry '1' added
FortiGate-VM64-KVM (1) # set dst 0.0.0.0/0
FortiGate-VM64-KVM (1) # set gateway 192.168.100.253
FortiGate-VM64-KVM (1) # set device port1
FortiGate-VM64-KVM (1) # end
FortiGate-VM64-KVM #
```
Check the routing table
```
FortiGate-VM64-KVM # get router info routing-table
details     show routing table details information
all         show all routing table entries
rip         show rip routing table
ospf        show ospf routing table
bgp         show bgp routing table
isis        show isis routing table
static      show static routing table
connected   show connected routing table
database    show routing information base

FortiGate-VM64-KVM # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.168.100.253, port1, [1/0]
C       192.168.100.0/24 is directly connected, port1
```
Verify ping to the FW01 MGMT IP
Configure FW02
IP configuration
```
FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM (interface) # edit port1
FortiGate-VM64-KVM (port1) # set mode static
FortiGate-VM64-KVM (port1) # set ip 192.168.100.2 255.255.255.0
FortiGate-VM64-KVM (port1) # show
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.100.2 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
end
```
Default gateway configuration
```
FortiGate-VM64-KVM # config router static
FortiGate-VM64-KVM (static) # edit 1
new entry '1' added
FortiGate-VM64-KVM (1) # set dst 0.0.0.0/0
FortiGate-VM64-KVM (1) # set gateway 192.168.100.253
FortiGate-VM64-KVM (1) # set device port1
FortiGate-VM64-KVM (1) # end
FortiGate-VM64-KVM #
```
Check the routing table
```
FortiGate-VM64-KVM # get router info routing-table
details     show routing table details information
all         show all routing table entries
rip         show rip routing table
ospf        show ospf routing table
bgp         show bgp routing table
isis        show isis routing table
static      show static routing table
connected   show connected routing table
database    show routing information base

FortiGate-VM64-KVM # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.168.100.253, port1, [1/0]
C       192.168.100.0/24 is directly connected, port1
```
Verify ping to the FW02 MGMT IP
Connect to the FW01 GUI
Connect to the FW02 GUI
With this, access to both devices is complete.
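Both firewalls keep the default allowaccess list on port1, which in this lab is also the WAN side. The Python sketch below is an added example, not part of the original post and not Fortinet tooling: it parses an interface block in the format shown above and lists the management services that remain reachable on a WAN-facing port. The sample text, the function names and the two protocol sets are assumptions of this example.

```python
import re

# Constructed sample: the port1 block shown above for FW01.
SAMPLE = '''\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
end
'''

CLEARTEXT = {"http", "telnet"}  # management protocols without transport encryption
ADMIN = {"https", "ssh", "http", "telnet", "fgfm", "snmp"}  # management services

def parse_interfaces(text):
    """Return {interface: {key: [values]}} from a 'config system interface' block."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r'edit\s+"?([^"]+)"?$', line)
        if match:
            current = interfaces.setdefault(match.group(1), {})
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, *values = line[4:].split()
            current[key] = [v.strip('"') for v in values]
    return interfaces

def audit(text, wan_ports):
    """List findings for management services enabled on the given WAN-facing ports."""
    findings = []
    for name, cfg in parse_interfaces(text).items():
        access = set(cfg.get("allowaccess", []))
        for proto in sorted(access & CLEARTEXT):
            findings.append(f"{name}: cleartext management protocol '{proto}' enabled")
        if name in wan_ports:
            exposed = sorted((access & ADMIN) - CLEARTEXT)
            if exposed:
                findings.append(f"{name}: WAN-facing, restrict {exposed} to trusted hosts")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, wan_ports={"port1"}):
        print(finding)
```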
Change the default hostname to FW01.
System -> Settings -> Host name
Change it to FW01 as shown below and click the Save button.
Configure the LAN interfaces
Network -> Interfaces -> click the Create New button.
VL10 configuration details
VL20 configuration details
VL30 details
VL40
Check the VLAN interfaces on port4
SW01 basic configuration
```
en
conf t
no ip domain-lookup
hostname sw01
line con 0
 exec-time 0
 logg syn
end
```
Int g0/0 trunk configuration
```
en
conf t
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
end
```
VLAN and SVI configuration
```
en
conf t
vlan 10
vlan 20
vlan 30
vlan 40
interface Vlan10
 ip address 172.17.70.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 172.17.71.1 255.255.255.0
 no shutdown
interface Vlan30
 ip address 172.17.72.1 255.255.255.0
 no shutdown
interface Vlan40
 ip address 172.17.73.1 255.255.255.0
 no shutdown
end
```
Check the SVI interface status
```
SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 172.17.70.1     YES manual up                    up
Vlan20                 172.17.71.1     YES manual up                    up
Vlan30                 172.17.72.1     YES manual up                    up
Vlan40                 172.17.73.1     YES manual up                    up
SW1#
```
Default gateway configuration
```
en
conf t
ip route 0.0.0.0 0.0.0.0 172.17.70.254
```
Check the routing table
```
SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.17.70.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.17.70.254
      172.17.0.0/16 is variably subnetted, 8 subnets, 2 masks
C        172.17.70.0/24 is directly connected, Vlan10
L        172.17.70.1/32 is directly connected, Vlan10
C        172.17.71.0/24 is directly connected, Vlan20
L        172.17.71.1/32 is directly connected, Vlan20
C        172.17.72.0/24 is directly connected, Vlan30
L        172.17.72.1/32 is directly connected, Vlan30
C        172.17.73.0/24 is directly connected, Vlan40
L        172.17.73.1/32 is directly connected, Vlan40
SW1#
```
Default Gateway Ping Test from SW01
```
SW1#ping 172.17.70.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.70.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/18 ms
SW1#
```
With this, the SW01 basic configuration is complete.
Next, we will configure FW02.
Change the default hostname to FW02 and click the Apply button.
LAN interface configuration details
SW02 basic configuration
```
en
conf t
no ip domain-lookup
hostname sw02
line con 0
 exec-time 0
 logg syn
end
```
Int g0/0 IP configuration
```
conf t
interface GigabitEthernet0/0
 no switchport
 ip address 10.1.1.1 255.255.255.0
 no shutdown
end
```
Check the interfaces
```
SW2#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     10.1.1.1        YES manual up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW2#
```
Default gateway configuration
```
conf t
ip route 0.0.0.0 0.0.0.0 10.1.1.254
```
Check the routing table
```
SW2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.1.254
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
SW2#
```
Default Gateway ping test from SW02
```
SW2#ping 10.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
SW2#
```
The basic configuration needed to test the Site to Site VPN is now complete.
On FW01: VPN -> IPsec Wizard
Name: S2S VPN
Then click Next.
Remote IP: 192.168.100.2 -> this is the peer's WAN IP address. The two sides must be able to ping each other at this address for the IPsec VPN connection to come up.
Outgoing Interface: WAN(port1)
Pre-shared Key: CiscoCisco
Then select Next.
Local Subnet:
172.17.70.0/24
172.17.71.0/24
172.17.72.0/24
172.17.73.0/24
Remote Subnet
10.1.1.0/24
Interface access: set this to None. The reason is that only the IP ranges above go through the IPsec VPN tunnel, and the remaining traffic uses the local ISP01 internet connection.
Check the information below and click Create.
As shown below, the S2S VPN tunnel has been created automatically.
Configure FW02 the same way.
Remote IP: enter the WAN IP of FW01.
Outgoing Interface: WAN(port1)
Pre-shared Key: CiscoCisco
Local Subnet: 10.1.1.0/24
Remote Subnet: 172.17.70.0/24
172.17.71.0/24
172.17.72.0/24
172.17.73.0/24
Check the values below and, if they are correct, click the Create button.
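The local subnets entered on FW01 have to appear as remote subnets on FW02 and the other way round, and each Remote IP has to be the peer's WAN address; a mismatch between the two sides is a common reason a tunnel stays down. The following Python check is an added example, not part of the original post: it takes the values from the two wizard runs above (the dict layout and function names are this example's own) and reports any asymmetry or overlap.

```python
from ipaddress import ip_network
from itertools import product

# Values taken from the wizard steps above; the dict layout is an assumption of this example.
FW01 = {"wan": "192.168.100.1", "remote_gw": "192.168.100.2",
        "local": ["172.17.70.0/24", "172.17.71.0/24", "172.17.72.0/24", "172.17.73.0/24"],
        "remote": ["10.1.1.0/24"]}
FW02 = {"wan": "192.168.100.2", "remote_gw": "192.168.100.1",
        "local": ["10.1.1.0/24"],
        "remote": ["172.17.70.0/24", "172.17.71.0/24", "172.17.72.0/24", "172.17.73.0/24"]}

def selectors(site):
    """All (source, destination) network pairs one side defines for the tunnel."""
    return {(ip_network(l), ip_network(r))
            for l, r in product(site["local"], site["remote"])}

def check_pair(a, b):
    """Return a list of mismatches between two site definitions (empty = consistent)."""
    problems = []
    if a["remote_gw"] != b["wan"] or b["remote_gw"] != a["wan"]:
        problems.append("remote gateway does not point at the peer's WAN address")
    # Each side's pairs must equal the other side's with source and destination swapped.
    mirrored = {(dst, src) for src, dst in selectors(b)}
    for src, dst in sorted(selectors(a) - mirrored):
        problems.append(f"{src} -> {dst} defined on first side only")
    for src, dst in sorted(mirrored - selectors(a)):
        problems.append(f"{dst} -> {src} defined on second side only")
    # Overlapping local and remote ranges make the route into the tunnel ambiguous.
    for src, dst in sorted(selectors(a)):
        if src.overlaps(dst):
            problems.append(f"local {src} overlaps remote {dst}")
    return problems

if __name__ == "__main__":
    print(check_pair(FW01, FW02) or "both sides are consistent")
    # Constructed mistake: the last subnet was left out on FW02.
    print(check_pair(FW01, dict(FW02, remote=FW02["remote"][:3])))
```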
Check the tunnel.
Because there is currently no traffic, the tunnel is down.
Let's generate some traffic.
The firewall itself can generate traffic toward the tunnel, which forces the tunnel to stay UP.
As shown below, selecting auto-negotiate also selects Autokey Keep Alive automatically.
Configure FW02 the same way.
Then check the tunnel interface.
The tunnel is UP.
Ping from SW01 to SW02
```
SW1#ping 10.1.1.1 source vlan10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.17.70.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/14/39 ms
SW1#
```
Ping from SW02 to SW01
```
SW2#ping 172.17.70.1 source g0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.70.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/18 ms
SW2#
```
As shown, the two sides can ping each other through the Site to Site VPN.
Next, create four VPCs and connect them as shown below.
SW01 Gi1/0 VLAN10 - PC01 172.17.70.100/24 GW 172.17.70.254
SW01 Gi1/0 VLAN20 - PC02 172.17.71.100/24 GW 172.17.71.254
SW01 Gi1/0 VLAN30 - PC03 172.17.72.100/24 GW 172.17.72.254
SW01 Gi1/0 VLAN40 - PC04 172.17.73.100/24 GW 172.17.73.254
SW01 configuration
```
en
conf t
interface GigabitEthernet1/0
 switchport access vlan 10
 switchport mode access
 no shutdown
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode access
 no shutdown
interface GigabitEthernet1/2
 switchport access vlan 30
 switchport mode access
 no shutdown
interface GigabitEthernet1/3
 switchport access vlan 40
 switchport mode access
 no shutdown
end
```
Configure the IP address and default gateway on PC01 through PC04
```
VPCS> ip 172.17.70.100 255.255.255.0 gateway 172.17.70.254
Checking for duplicate address...
VPCS : 172.17.70.100 255.255.255.0 gateway 172.17.70.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.70.100/24
GATEWAY     : 172.17.70.254
DNS         :
MAC         : 00:50:79:66:68:3f
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.71.100 255.255.255.0 gateway 172.17.71.254
Checking for duplicate address...
VPCS : 172.17.71.100 255.255.255.0 gateway 172.17.71.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.71.100/24
GATEWAY     : 172.17.71.254
DNS         :
MAC         : 00:50:79:66:68:40
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.72.100 255.255.255.0 gateway 172.17.72.254
Checking for duplicate address...
VPCS : 172.17.72.100 255.255.255.0 gateway 172.17.72.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.72.100/24
GATEWAY     : 172.17.72.254
DNS         :
MAC         : 00:50:79:66:68:41
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>

VPCS> ip 172.17.73.100 255.255.255.0 gateway 172.17.73.254
Checking for duplicate address...
VPCS : 172.17.73.100 255.255.255.0 gateway 172.17.73.254

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 172.17.73.100/24
GATEWAY     : 172.17.73.254
DNS         :
MAC         : 00:50:79:66:68:42
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS>
```
Ping from PC01 (172.17.70.100) to SW02 (10.1.1.1)
```
VPCS> ping 10.1.1.1
84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=59.607 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=9.527 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=9.599 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=10.493 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=9.694 ms
VPCS>
```
Ping from PC02 (172.17.71.100) to SW02 (10.1.1.1)
```
VPCS> ping 10.1.1.1
84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=18.606 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=8.886 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=8.346 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=11.557 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=8.162 ms
VPCS>
```
Ping from PC03 (172.17.72.100) to SW02 (10.1.1.1)
```
VPCS> ping 10.1.1.1
84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=10.669 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=54.042 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=15.635 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=62.423 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=418.343 ms
VPCS>
```
Ping from PC04 (172.17.73.100) to SW02 (10.1.1.1)
```
VPCS> ping 10.1.1.1
84 bytes from 10.1.1.1 icmp_seq=1 ttl=253 time=8.883 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=253 time=7.573 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=253 time=10.828 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=253 time=12.965 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=253 time=8.135 ms
VPCS>
```
In this post we looked at how two sites with FortiGate firewalls communicate over a Site to Site VPN.
In the next post, we will check which parts are created automatically when the Site to Site VPN is configured with the Wizard.
Thank you for reading.